From get-rich-quick schemes targeting youth to sophisticated corporate ransomware attacks, cybercrime in Luxembourg is exploiting human vulnerability on an unprecedented scale, experts say.

During a recent RTL Radio roundtable, cybersecurity experts Muriel-Larissa Frank, Pascal Steichen, and Jeff Kaufmann highlighted the sophisticated tactics used by modern cybercriminals. The discussion focused on recognising online fraud and protecting personal data.

The perpetrators fundamentally exploit human psychology, explained Muriel-Larissa Frank, a researcher at the University of Luxembourg's Interdisciplinary Centre for Security. "Who doesn't want to get rich quick? This is another case of human weakness being exploited, namely the desire for financial independence," she noted.

According to the experts, these schemes are now targeting a broader demographic. Jeff Kaufmann from Bee Secure warned that young people are particularly vulnerable to new scams involving cryptocurrency investments. He described a common tactic where chatbots in WhatsApp groups pose as successful young investors to encourage victims to deposit money.

Pascal Steichen, Director General of the Luxembourg House of Cybersecurity, stressed the severe consequences of sharing personal documents on such platforms. He warned that uploaded identity cards could be used to fraudulently open bank accounts. Steichen emphasised the professionalisation of cybercrime, stating, "You can no longer rely on being able to recognise scams by poor Luxembourgish. Even there, we're already seeing much more sophisticated forms of attacks [...] that are startlingly authentic."

This shift in strategy was confirmed by Frank, who noted that while romance scams once primarily targeted those over 40, fraud now deliberately aims at the 20-to-30 age group. However, Kaufmann added a crucial caveat: "Anyone can be a target."

The scale of the problem is growing. Bee Secure has already registered over 400 contacts regarding scams in 2025, a significant increase from just over 300 in 2019. The service treats all incidents confidentially and is not obligated to report them to the police. For those who do wish to pursue legal action, Kaufmann advised gathering evidence. "Take screenshots," he recommended, to build a case for a formal police complaint.

Businesses also frequently targeted

The threat of cybercrime extends far beyond private individuals, with Luxembourgish companies facing a high volume of targeted attacks. The Luxembourg House of Cybersecurity (LHC) estimates that businesses in the country are subject to approximately 1,000 attack attempts monthly. In 40 to 50 severe cases per year, the LHC is called upon to provide a form of "first aid."

Human error remains a critical vulnerability. Steichen reported that in 70 to 80% of incidents, a successful breach originates from an employee within the company clicking a malicious link or performing another erroneous action that grants criminals access. Other common threats include "data hostage" situations, or ransomware.

To build resilience, Steichen advised companies to maintain secure, isolated backups of their data. "Should the system then be paralysed by a cyber-attack, one could access the secured copies," he explained. He emphatically stressed that no ransom should ever be paid to secure data release.

The financial and operational damage from such attacks can be crippling, encompassing the cost of replacing entire IT systems and significant business disruption due to downtime. High-profile cases at POST Luxembourg and the Banque internationale à Luxembourg (BIL) have recently highlighted this risk.

In the BIL case, a fake website was used to defraud customers. To avoid such traps, the experts recommended manually typing a bank's website address into the browser rather than clicking on search engine results, where criminals can pay to promote fraudulent sites in sponsored links. Using official banking apps provides an additional layer of security against fake websites.

Regarding emails, they advised carefully verifying the sender's full address for any signs of deception. Frank reiterated a fundamental rule: be deeply skeptical of offers that seem too good to be true, especially promises of quick investment returns.

Kaufmann emphasised the permanence of online actions. "The internet never forgets," he stated, warning that any shared information could be leveraged in a future scam. This is why Bee Secure conducts awareness campaigns in schools, targeting children as young as eight.

Ultimately, the experts concluded that a perfect defence is impossible. "There is no such thing as 100% protection," Steichen said, underscoring the critical need for organisations and residents to also prepare robust response plans for when attacks inevitably occur – an area where he believes Luxembourg still has room for improvement.